This detection hunts for potential PureLogs Stealer activity through known command-and-control (C2) indicators. PureLogs is an information stealer: a host connecting to one of the ip:port endpoints listed below is likely infected and exfiltrating harvested credentials and other sensitive data. SOC teams should proactively hunt for this traffic in Microsoft Sentinel (formerly Azure Sentinel) to catch credential theft early in the attack lifecycle. IP-based indicators age quickly and both entries below carry 75% confidence, so treat a hit as a lead to triage, not as a confirmed compromise.
IOC Summary
Malware Family: PureLogs Stealer
Total IOCs: 2
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 172[.]93[.]143[.]151:8443 | botnet_cc | 2026-06-04 | 75% |
| ip:port | 5[.]101[.]84[.]150:4231 | botnet_cc | 2026-06-04 | 75% |
// Hunt for network connections to known PureLogs Stealer C2 endpoints
// Source: ThreatFox - PureLogs Stealer (ip:port indicators listed in the IOC Summary)
let malicious_ips = dynamic(["5.101.84.150", "172.93.143.151"]);
let malicious_endpoints = dynamic(["5.101.84.150:4231", "172.93.143.151:8443"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
// The port is part of the indicator: separate exact ip:port hits from IP-only hits
| extend ExactC2Match = strcat(DestinationIP, ":", tostring(DestinationPort)) in (malicious_endpoints)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, ExactC2Match, DeviceAction, Activity
| order by TimeGenerated desc
// Hunt in Defender for Endpoint network events
// Same indicators; endpoint telemetry adds the initiating process, which is what confirms an infostealer infection
let malicious_ips = dynamic(["5.101.84.150", "172.93.143.151"]);
let malicious_endpoints = dynamic(["5.101.84.150:4231", "172.93.143.151:8443"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| extend ExactC2Match = strcat(RemoteIP, ":", tostring(RemotePort)) in (malicious_endpoints)
| project Timestamp, DeviceName, RemoteIP, RemotePort, ExactC2Match, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256, InitiatingProcessAccountName
| order by Timestamp desc
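The Python script below is an added example, not part of the original page and not a Microsoft or ThreatFox artefact. It replays the logic of the two KQL hunts offline: flow records constructed to mimic CommonSecurityLog and DeviceNetworkEvents rows are matched against the ip:port indicators, exact ip:port hits are separated from IP-only hits, inbound matches are kept but ranked lower, and a hypothetical sandbox host is excluded. Host names, process names, internal IPs and timestamps are invented for the example.

```python
"""Offline replica of the two KQL hunts: match flow records against the
PureLogs Stealer ip:port indicators, distinguish exact ip:port hits from
IP-only hits, keep inbound matches but rank them lower, and drop hosts that
are expected to talk to C2 infrastructure. All events below are constructed."""
from dataclasses import dataclass
from typing import Iterable

# Indicators from the IOC Summary, with the defanging brackets removed.
PURELOGS_C2: set[tuple[str, int]] = {
    ("172.93.143.151", 8443),
    ("5.101.84.150", 4231),
}

# Hypothetical analysis hosts that reach C2 endpoints on purpose (sandboxes).
ANALYSIS_HOSTS: set[str] = {"sbx-detonate-01"}

# Actions that mean the perimeter already stopped the session.
DENIED_ACTIONS = {"deny", "drop", "blocked", "connectionfailed"}


@dataclass(frozen=True)
class FlowEvent:
    timestamp: str          # ISO 8601, sortable as text
    host: str               # DeviceName (MDE) or reporting device (CEF)
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str             # DeviceAction (CEF) or ActionType (MDE)
    process: str = ""       # InitiatingProcessFileName; empty for firewall rows


@dataclass(frozen=True)
class Hit:
    event: FlowEvent
    direction: str          # "outbound": dst matched, "inbound": src matched
    exact_match: bool       # IP and port matched, not just the IP


def hunt_c2(events: Iterable[FlowEvent],
            iocs: set[tuple[str, int]] = PURELOGS_C2,
            allowlisted_hosts: set[str] = ANALYSIS_HOSTS) -> list[Hit]:
    """Equivalent of `where DestinationIP in (...) or SourceIP in (...)`
    plus the ExactC2Match flag, minus allowlisted analysis hosts."""
    ioc_ips = {ip for ip, _ in iocs}
    hits: list[Hit] = []
    for ev in events:
        if ev.host in allowlisted_hosts:
            continue  # expected C2 contact from a sandbox, not a compromise
        if ev.dst_ip in ioc_ips:
            hits.append(Hit(ev, "outbound", (ev.dst_ip, ev.dst_port) in iocs))
        elif ev.src_ip in ioc_ips:
            hits.append(Hit(ev, "inbound", False))  # probe/scan from the C2 address
    # Exact matches first, then newest first (mirrors `order by ... desc`).
    hits.sort(key=lambda h: (h.exact_match, h.event.timestamp), reverse=True)
    return hits


def priority(hit: Hit) -> str:
    """Triage tier: exact outbound hit > IP-only outbound hit > inbound traffic
    the perimeter already dropped. An allowed inbound session stays medium."""
    if hit.direction == "outbound":
        return "high" if hit.exact_match else "medium"
    return "low" if hit.event.action.lower() in DENIED_ACTIONS else "medium"


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    FlowEvent("2026-06-05T08:12:44Z", "ws-fin-07", "10.0.4.21", "172.93.143.151", 8443,
              "ConnectionSuccess", "updater.exe"),            # exact ip:port hit
    FlowEvent("2026-06-05T09:30:01Z", "ws-hr-03", "10.0.7.15", "5.101.84.150", 443,
              "ConnectionSuccess", "chrome.exe"),             # IP matches, port does not
    FlowEvent("2026-06-05T10:00:00Z", "sbx-detonate-01", "10.9.0.5", "5.101.84.150", 4231,
              "ConnectionSuccess", "sample.exe"),             # sandbox: excluded
    FlowEvent("2026-06-05T07:55:10Z", "fw-edge-01", "5.101.84.150", "203.0.113.10", 22,
              "deny"),                                        # inbound probe, dropped
    FlowEvent("2026-06-05T08:00:00Z", "ws-fin-07", "10.0.4.21", "8.8.8.8", 53,
              "ConnectionSuccess", "svchost.exe"),            # benign, no match
]

if __name__ == "__main__":
    for h in hunt_c2(SAMPLE_EVENTS):
        print(f"{priority(h):6} {h.direction:8} exact={h.exact_match!s:5} "
              f"{h.event.host} {h.event.src_ip} -> {h.event.dst_ip}:{h.event.dst_port} "
              f"{h.event.process or '-'} [{h.event.action}]")
```

Running the script on the constructed sample yields three hits: the exact outbound ip:port match from ws-fin-07 ranked high, the IP-only match from ws-hr-03 ranked medium, and the denied inbound probe against fw-edge-01 ranked low; the sandbox connection and the DNS lookup produce nothing. The same ordering is what the ExactC2Match column in the KQL above is meant to support when an analyst sorts the results.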
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (CEF/Syslog from firewalls and proxies; SourceIP may be a NAT or proxy address rather than the endpoint) |
| DeviceNetworkEvents | Ensure this data connector is enabled (Microsoft Defender for Endpoint telemetry via the Defender XDR connector; provides the initiating process) |
Scenario: Internal Sandbox or Threat-Intelligence Tooling
Description: Malware analysis sandboxes, detonation hosts and enrichment services may deliberately connect to the listed C2 endpoints while analysing samples or validating indicators.
Filter/Exclusion: Exclude those hosts by DeviceName or SourceIP from a short, reviewed allowlist. Do not exclude by network range if that range also contains user workstations.
Scenario: Shared Hosting or Reassigned Infrastructure
Description: Both indicators were first seen on 2026-06-04 at 75% confidence. C2 servers on rented VPS or shared hosting are short-lived, and the IP may later serve unrelated content or other tenants.
Filter/Exclusion: Reserve high severity for exact ip:port matches; treat IP-only hits on other ports as lower priority and confirm current attribution (for example on ThreatFox) before responding. Retire indicators that are past their useful age and have never fired.
Scenario: Inbound Scanning from the C2 Address
Description: Hosts that run C2 infrastructure often also scan the internet, so the SourceIP clause in the CommonSecurityLog query will match inbound probes that the perimeter device dropped.
Filter/Exclusion: Prioritise outbound sessions from internal hosts with an allowed DeviceAction. Route inbound hits with a deny/drop action to a low-severity queue rather than suppressing them, since an allowed inbound connection from a C2 address would still warrant review.
Scenario: Proxy or NAT Hiding the True Source
Description: In firewall logs, SourceIP may be a proxy or NAT gateway, so one hit can represent any host behind it and the initiating process is unknown.
Filter/Exclusion: This is a triage limitation rather than a false positive: pivot to DeviceNetworkEvents (or proxy logs that record the client IP) to identify the originating endpoint and process before taking containment action.